upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-15 22:09:31 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

new draft

Browse source
This commit is contained in:
Mark Andrews 2004-10-27 00:48:51 +00:00
parent b6f837397d
commit 619900b7c0
6 changed files with 2531 additions and 2228 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1344
doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt
View file

File diff suppressed because it is too large Load diff

1400
doc/draft/draft-ietf-dnsop-dnssec-operational-practices-02.txt Normal file
View file

File diff suppressed because it is too large Load diff

301
doc/draft/draft-ietf-dnsop-inaddr-required-05.txt Normal file
View file

@ -0,0 +1,301 @@
INTERNET-DRAFT D. Senie
Category: BCP Amaranth Networks Inc.
Expires in six months April 2004
Encouraging the use of DNS IN-ADDR Mapping
draft-ietf-dnsop-inaddr-required-05.txt
Status of this Memo
This draft, is intended to be become a Best Current Practice RFC.
Distribution of this document is unlimited. Comments should be sent
to the Domain Name Server Operations working group mailing list
<dnsop@cafax.se> or to the author.
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of [RFC2026].
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
To view the list Internet-Draft Shadow Directories, see
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (2000-2002). All Rights Reserved.
Abstract
Mapping of addresses to names has been a feature of DNS. Many sites,
implement it, many others dont. Some applications attempt to use it
as a part of a security strategy. The goal of this document is to
encourage proper deployment of address to name mappings, and provide
guidance for their use.
1. Introduction
The Domain Name Service has provision for providing mapping of IP
addresses to host names. It is common practice to ensure both name to
address, and address to name mappings are provided for networks. This
practice, while documented, has never been documented as a
requirement placed upon those who control address blocks. This
Senie [Page 1]
Internet-Draft Encouraging the use of DNS IN-ADDR Mapping April 2004
document fills this gap.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Discussion
From the early days of the Domain Name Service [RFC 883] a special
domain has been set aside for resolving mappings of IP addresses to
domain names. This was refined in [RFC1035], describing the .IN-
ADDR.ARPA in use today.
The assignment of blocks of IP Address space was delegated to three
regional registries. Guidelines for the registries are specified in
[RFC2050], which requires regional registries to maintain IN-ADDR
records on the large blocks of space issued to ISPs and others.
ARINs policy requires ISPs to maintain IN-ADDR for /16 or larger
allocations. For smaller allocations, ARIN can provide IN-ADDR for
/24 and shorter prefixes. [ARIN]. APNIC provides methods for ISPs to
update IN-ADDR, however the present version of its policy document
for IPv4 [APNIC] dropped the IN-ADDR requirements that were in draft
copies of this document. As of this writing, it appears APNIC has no
actual policy on IN-ADDR. RIPE appears to have the strongest policy
in this area [ripe-185] indicating Local Internet Registries are
required to perform IN-ADDR services, and delegate those as
appropriate when address blocks are delegated.
As we can see, the regional registries have their own policies for
requirements for IN-ADDR maintenance. It should be noted, however,
that many address blocks were allocated before the creation of the
regional registries, and thus it is unclear whether any of the
policies of the registries are binding on those who hold blocks from
that era.
Registries allocate address blocks on CIDR [RFC1519] boundaries.
Unfortunately the IN-ADDR zones are based on classful allocations.
Guidelines [RFC2317] for delegating on non-octet-aligned boundaries
exist, but are not always implemented.
3. Effects of missing IN-ADDR
Many applications use DNS lookups for security checks. To ensure
validity of claimed names, some applications will look up IN-ADDR
records to get names, and then look up the resultant name to see if
it maps back to the address originally known. Failure to resolve
matching names is seen as a potential security concern.
Senie [Page 2]
Internet-Draft Encouraging the use of DNS IN-ADDR Mapping April 2004
Some popular FTP sites will flat-out reject users, even for anonymous
FTP, if the IN-ADDR lookup fails or if the result of the IN-ADDR
lookup when itself resolved, does not match. Some Telnet servers also
implement this check.
Web sites are in some cases using IN-ADDR checks to verify whether
the client is located within a certain geopolitical entity. This is
being employed for downloads of crypto software, for example, where
export of that software is prohibited to some locales. Credit card
anti-fraud systems also use these methods for geographic placement
purposes.
The popular TCP Wrappers program found on most Unix and Linux systems
has options to enforce IN-ADDR checks and to reject any client that
does not resolve.
Wider-scale implementation of IN-ADDR on dialup, CDPD and other such
client-oriented portions of the Internet would result in lower
latency for queries (due to lack of negative caching), and lower name
server load and DNS traffic.
Some anti-spam (anti junk email) systems use IN-ADDR to verify return
addresses before accepting email.
Many web servers look up the IN-ADDR of visitors to be used in log
analysis. This adds to the server load, but in the case of IN-ADDR
unavailability, it can lead to delayed responses for users.
Traceroutes with descriptive IN-ADDR naming proves useful when
debugging problems spanning large areas. When this information is
missing, the traceroutes take longer, and it takes additional steps
to determine that network is the cause of problems.
4. Requirements
4.1 Delegation Requirements
Regional Registries and any Local Registries to whom they delegate
SHOULD establish and convey a policy to those to whom they delegate
blocks that IN-ADDR mappings are required. Policies SHOULD require
those receiving delegations to provide IN-ADDR service and/or
delegate to downstream customers.
Network operators SHOULD define and implement policies and procedures
which delegate IN-ADDR to their clients who wish to run their own IN-
ADDR DNS services, and provide IN-ADDR services for those who do not
have the resources to do it themselves. Delegation mechanisms MUST
permit the downstream customer to implement and comply with IETF
Senie [Page 3]
Internet-Draft Encouraging the use of DNS IN-ADDR Mapping April 2004
recommendations application of IN-ADDR to CIDR [RFC2317].
All IP address space assigned and in use SHOULD be resolved by IN-
ADDR records. All PTR records MUST use canonical names.
All IP addresses in use within a block SHOULD have an IN-ADDR
mapping. Those addresses not in use, and those that are not valid for
use (zeros or ones broadcast addresses within a CIDR block) need not
have mappings.
It should be noted that due to CIDR, many addresses that appear to be
otherwise valid host addresses may actually be zeroes or ones
broadcast addresses. As such, attempting to audit a sites degree of
compliance can only be done with knowledge of the internal routing
structure of the site. However, any host that originates an IP packet
necessarily will have a valid host address, and must therefore have
an IN-ADDR mapping.
4.2 Application Requirements
Applications SHOULD NOT rely on IN-ADDR for proper operation. The use
of IN-ADDR, sometimes in conjunction with a lookup of the name
resulting from the PTR record provides no real security, can lead to
erroneous results and generally just increases load on DNS servers.
Further, in cases where address block holders fail to properly
configure IN-ADDR, users of those blocks are penalized.
5. Security Considerations
This document has no negative impact on security. While it could be
argued that lack of PTR record capabilities provides a degree of
anonymity, this is really not valid. Trace routes, whois lookups and
other sources will still provide methods for discovering identity.
By recommending applications avoid using IN-ADDR as a security
mechanism this document points out that this practice, despite its
use by many applications, is an ineffective form of security.
Applications should use better mechanisms of authentication.
6. References
[RFC883] P.V. Mockapetris, "Domain names: Implementation
specification," RFC883, November 1983.
[RFC1035] P.V. Mockapetris, "Domain Names: Implementation
Specification," RFC 1035, November 1987.
[RFC1519] V. Fuller, et. al., "Classless Inter-Domain Routing (CIDR):
Senie [Page 4]
Internet-Draft Encouraging the use of DNS IN-ADDR Mapping April 2004
an Address Assignment and Aggregation Strategy," RFC 1519, September
1993.
[RFC2026] S. Bradner, "The Internet Standards Process -- Revision 3",
RFC 2026, BCP 9, October 1996.
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, BCP 14, March 1997.
[RFC2050] K. Hubbard, et. al., "Internet Registry IP Allocation
Guidelines", RFC2050, BCP 12, Novebmer 1996.
[RFC2317] H. Eidnes, et. al., "Classless IN-ADDR.ARPA delegation,"
RFC 2317, March 1998.
[ARIN] "ISP Guidelines for Requesting Initial IP Address Space," date
unknown, http://www.arin.net/regserv/initial-isp.html
[APNIC] "Policies For IPv4 Address Space Management in the Asia
Pacific Region," APNIC-086, 13 January 2003.
[RIPE185] "European Internet Registry Policies and Procedures,"
ripe-185, October 26, 1998. http://www.ripe.net/docs/ripe-185.html
7. Acknowledgements
Thanks to Peter Koch and Gary Miller for their input, and to many
people who encouraged me to write this document.
8. Authors Address
Daniel Senie
Amaranth Networks Inc.
324 Still River Road
Bolton, MA 01740
Phone: (978) 779-5100
EMail: dts@senie.com
Senie [Page 5]

758
doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-02.txt → doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-04.txt
View file

File diff suppressed because it is too large Load diff

505
doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
View file

@ -1,505 +0,0 @@
IETF DNSOP Working Group Y. Morishita
Internet-Draft JPRS
Expires: July 11, 2004 T. Jinmei
Toshiba
January 11, 2004
Common Misbehavior against DNS Queries for IPv6 Addresses
draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 11, 2004.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
There is some known misbehavior of DNS authoritative servers when
they are queried for AAAA resource records. Such behavior can block
IPv4 communication which should actually be available, cause a
significant delay in name resolution, or even make a denial of
service attack. This memo describes details of the known cases and
discusses the effect of the cases.
1. Introduction
Many DNS clients (resolvers) that support IPv6 first search for AAAA
Resource Records (RRs) of a target host name, and then for A RRs of
Morishita & Jinmei Expires July 11, 2004 [Page 1]
Internet-Draft Common Misbehavior against AAAA Queries January 2004
the same name. This fallback mechanism is based on the DNS
specifications, which if not obeyed by authoritative servers can
produce unpleasant results. In some cases, for example, a web browser
fails to connect to a web server it could otherwise. In the following
sections, this memo describes some typical cases of the misbehavior
and its (bad) effects.
Note that the misbehavior is not specific to AAAA RRs. In fact, all
known examples also apply to the cases of queries for MX, NS, and SOA
RRs. The authors even believe this can be generalized for all types
of queries other than those for A RRs. In this memo, however, we
concentrate on the case for AAAA queries, since the problem is
particularly severe for resolvers that support IPv6, which thus
affects many end users. Resolvers at end users normally send A and/or
AAAA queries only, and so the problem for the other cases is
relatively minor.
2. Network Model
In this memo, we assume a typical network model of name resolution
environment using DNS. It consists of three components; stub
resolvers, caching servers, and authoritative servers. A stub
resolver issues a recursive query to a caching server, which then
handles the entire name resolution procedure recursively. The caching
server caches the result of the query as well as sends the result to
the stub resolver. The authoritative servers respond to queries for
names for which they have the authority, normally in a non-recursive
manner.
3. Expected Behavior
Suppose that an authoritative server has an A RR but not a AAAA RR
for a host name. Then the server should return a response to a query
for a AAAA RR of the name with the RCODE being 0 (indicating no
error) and with an empty answer section [1]. Such a response
indicates that there is at least one RR of a different type than AAAA
for the queried name, and the stub resolver can then look for A RRs.
This way, the caching server can cache the fact that the queried name
does not have a AAAA RR (but may have other types of RRs), and thus
can improve the response time to further queries for a AAAA RR of the
name.
4. Problematic Behaviors
There are some known cases at authoritative servers that do not
conform to the expected behavior. This section describes those
problematic cases.
Morishita & Jinmei Expires July 11, 2004 [Page 2]
Internet-Draft Common Misbehavior against AAAA Queries January 2004
4.1 Return NXDOMAIN
This type of server returns a response with the RCODE being 3
(NXDOMAIN) to a query for a AAAA RR, indicating it does not have any
RRs of any type for the queried name.
With this response, the stub resolver may immediately give up and
never fall back. Even if the resolver retries with a query for an A
RR, the negative response for the name has been cached in the caching
server, and the caching server will simply return the negative
response. As a result, the stub resolver considers this as a fatal
error in name resolution.
There have been several known examples of this behavior, but all the
examples that the authors know have changed their behavior as of this
writing.
4.2 Return NOTIMP
Other authoritative servers return a response with the RCODE being 4
(NOTIMP), indicating the servers do not support the requested type of
query.
This case is less harmful than the previous one; if the stub resolver
falls back to querying for an A RR, the caching server will process
the query correctly and return an appropriate response.
In this case, the caching server does not cache the fact that the
queried name has no AAAA RR, resulting in redundant queries for AAAA
RRs in the future. The behavior will waste network bandwidth and
increase the load of the authoritative server.
Using SERVFAIL or FORMERR would cause the same effect, though the
authors have not seen such implementations yet.
4.3 Return a Broken Response
Another different type of authoritative servers returns broken
responses to AAAA queries. A known behavior of this category is to
return a response whose RR type is AAAA, but the length of the RDATA
is 4 bytes. The 4-byte data looks like the IPv4 address of the
queried host name. That is, the RR in the answer section would be
described like this:
www.bad.example. 600 IN AAAA 192.0.2.1
which is, of course, bogus (or at least meaningless).
Morishita & Jinmei Expires July 11, 2004 [Page 3]
Internet-Draft Common Misbehavior against AAAA Queries January 2004
A widely deployed caching server implementation transparently returns
the broken response (as well as caches it) to the stub resolver.
Another known server implementation parses the response by
themselves, and sends a separate response with the RCODE being 2
(SERVFAIL).
In either case, the broken response does not affect queries for an A
RR of the same name. If the stub resolver falls back to A queries, it
will get an appropriate response.
The latter case, however, causes the same bad effect as that
described in the previous section: redundant queries for AAAA RRs.
4.4 Make Lame Delegation
Some authoritative servers respond to AAAA queries in a way causing
lame delegation. In this case the parent zone specifies that the
authoritative server should have the authority of a zone, but the
server does not return an authoritative response for AAAA queries
within the zone (i.e., the AA bit in the response is not set). On the
other hand, the authoritative server returns an authoritative
response for A queries.
When a caching server asks the server for AAAA RRs in the zone, it
recognizes the delegation is lame, and return a response with the
RCODE being 2 (SERVFAIL) to the stub resolver.
Furthermore, some caching servers record the authoritative server as
lame for the zone and will not use it for a certain period of time.
With this type of caching server, even if the stub resolver falls
back to querying for an A RR, the caching server will simply return a
response with the RCODE being SERVFAIL, since all the servers are
known to be "lame."
There is also an implementation that relaxes the behavior a little
bit. It basically tries to avoid using the lame server, but still
continues to try it as a last resort. With this type of caching
server, the stub resolver will get a correct response if it falls
back after SERVFAIL. However, this still causes redundant AAAA
queries as explained in the previous sections.
4.5 Ignore Queries for AAAA
Some authoritative severs seem to ignore queries for a AAAA RR,
causing a delay at the stub resolver to fall back to a query for an A
RR. This behavior may even cause a fatal timeout at the resolver.
Morishita & Jinmei Expires July 11, 2004 [Page 4]
Internet-Draft Common Misbehavior against AAAA Queries January 2004
5. Security Considerations
The CERT/CC pointed out that the response with NXDOMAIN described in
Section 4.1 can be used for a denial of service attack [2]. The same
argument applies to the case of "lame delegation" described in
Section 4.4 with a certain type of caching server.
6. Acknowledgements
Erik Nordmark encouraged the authors to publish this document as an
Internet Draft. Akira Kato and Paul Vixie reviewed a preliminary
version of this document. Pekka Savola carefully reviewed a previous
version and provided detailed comments.
Informative References
[1] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", RFC
1034, November 1987.
[2] The CERT Coordination Center, "Incorrect NXDOMAIN responses from
AAAA queries could cause denial-of-service conditions", March
2003, <http://www.kb.cert.org/vuls/id/714121>.
Authors' Addresses
MORISHITA Orange Yasuhiro
Research and Development Department, Japan Registry Service Co.,Ltd.
Fuundo Bldg 3F, 1-2 Kanda-Ogawamachi
Chiyoda-ku, Tokyo 101-0052
Japan
EMail: yasuhiro@jprs.co.jp
JINMEI Tatuya
Corporate Research & Development Center, Toshiba Corporation
1 Komukai Toshiba-cho, Saiwai-ku
Kawasaki-shi, Kanagawa 212-8582
Japan
EMail: jinmei@isl.rdc.toshiba.co.jp
Appendix A. Live Examples
In this appendix, we show concrete implementations and domain names
that may cause problematic cases so that the behavior can be
reproduced in a practical environment. The examples are for
Morishita & Jinmei Expires July 11, 2004 [Page 5]
Internet-Draft Common Misbehavior against AAAA Queries January 2004
informational purposes only, and the authors do not intend to accuse
any implementations or zone administrators.
The behavior described in Section 4.2 (return NOTIMP) can be found by
looking for a AAAA RR of www.css.vtext.com at 66.174.3.4.
The behavior described in Section 4.3 (broken responses) can be seen
by querying for a AAAA RR of "www.gslb.mainichi.co.jp," which is an
alias of "www.mainichi.co.jp," at 210.173.172.2. The same behavior
can be found with the name "vip.alt.ihp.sony.co.jp," an alias of
"www.sony.co.jp," at 210.139.255.204.
The behavior described in Section 4.4 (lame delegation) can be found
by querying for a AAAA RR of "www.ual.com" at 209.87.113.4.
The behavior described in Section 4.5 (ignore queries) can be seen by
trying to ask for a AAAA RR of "ad.3jp.doubleclick.net," which is an
alias of "ad.jp.doubleclick.net," at 210.153.90.9.
Many authoritative server implementations show the expected behavior
described in Section 3. Some DNS load balancers reportedly have a
problematic behavior shown in Section 4, but the authors do not have
a concrete example. The CERT/CC provides a list of implementations
that behave as described in Section 4.1 [2].
The BIND9 caching server implementation is an example of the latter
cases described in Section 4.3 and Section 4.4, respectively. The
BIND8 caching server implementation is an example of the former case
described in Section 4.3. As for the issue shown in Section 4.4,
BIND8 caching servers prior to 8.3.5 show the behavior described as
the former case in this section. The versions 8.3.5 and later of
BIND8 caching server behave like the BIND9 caching server
implementation with this matter.
Regarding resolver implementations, the authors are only familiar
with the ones derived from the BIND implementation. These
implementations always fall back regardless of the RCODE; NXDOMAIN,
NOTIMP, or SERVFAIL. It even falls back when getting a broken
response. However, the behavior does not help the situation in the
NXDOMAIN case (see Section 4.1). Lame delegation (Section 4.4) also
causes a fatal error at the resolver side if the resolver is using
some older versions of BIND8 caching server.
The authors hear that a stub resolver routine implemented in some web
browsers interprets the broken response described in Section 4.3 as a
fatal error and does not fall back to A queries. However, we have not
confirmed this information.
Morishita & Jinmei Expires July 11, 2004 [Page 6]
Internet-Draft Common Misbehavior against AAAA Queries January 2004
Appendix B. Change History
Changes since draft-morishita-dnsop-misbehavior-against-aaaa-00 are:
o Made a separate appendix and moved live examples to appendix so
that we can remove them when this document is (ever) officially
published.
o Revised some live examples based on the recent status.
o Noted in introduction that the misbehavior is not specific to AAAA
and that this document still concentrates on the AAAA case.
o Changed the section title of "delegation loop" to "lame
delegation" in order to reflect the essential point of the issue.
Wording on this matter was updated accordingly.
o Updated the Acknowledgements list.
o Changed the reference category from normative to informative (this
is an informational document after all).
o Changed the draft name to an IETF dnsop working group document (as
agreed).
o Applied several editorial fixes.
Morishita & Jinmei Expires July 11, 2004 [Page 7]
Internet-Draft Common Misbehavior against AAAA Queries January 2004
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
Morishita & Jinmei Expires July 11, 2004 [Page 8]
Internet-Draft Common Misbehavior against AAAA Queries January 2004
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Morishita & Jinmei Expires July 11, 2004 [Page 9]

451
doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-02.txt Normal file
View file

@ -0,0 +1,451 @@
IETF DNSOP Working Group Y. Morishita
Internet-Draft JPRS
Expires: April 23, 2005 T. Jinmei
Toshiba
October 23, 2004
Common Misbehavior against DNS Queries for IPv6 Addresses
draft-ietf-dnsop-misbehavior-against-aaaa-02.txt
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 23, 2005.
Copyright Notice
Copyright (C) The Internet Society (2004).
Abstract
There is some known misbehavior of DNS authoritative servers when
they are queried for AAAA resource records. Such behavior can block
IPv4 communication which should actually be available, cause a
significant delay in name resolution, or even make a denial of
service attack. This memo describes details of the known cases and
discusses the effect of the cases.
Morishita & Jinmei Expires April 23, 2005 [Page 1]
Internet-Draft Common Misbehavior against AAAA Queries October 2004
1. Introduction
Many existing DNS clients (resolvers) that support IPv6 first search
for AAAA Resource Records (RRs) of a target host name, and then for A
RRs of the same name. This fallback mechanism is based on the DNS
specifications, which if not obeyed by authoritative servers can
produce unpleasant results. In some cases, for example, a web
browser fails to connect to a web server it could otherwise reach.
In the following sections, this memo describes some typical cases of
such misbehavior and its (bad) effects.
Note that the misbehavior is not specific to AAAA RRs. In fact, all
known examples also apply to the cases of queries for MX, NS, and SOA
RRs. The authors even believe this can be generalized for all types
of queries other than those for A RRs. In this memo, however, we
concentrate on the case for AAAA queries, since the problem is
particularly severe for resolvers that support IPv6, which thus
affects many end users. Resolvers at end users normally send A
and/or AAAA queries only, and so the problem for the other cases is
relatively minor.
2. Network Model
In this memo, we assume a typical network model of name resolution
environment using DNS. It consists of three components; stub
resolvers, caching servers, and authoritative servers. A stub
resolver issues a recursive query to a caching server, which then
handles the entire name resolution procedure recursively. The
caching server caches the result of the query as well as sends the
result to the stub resolver. The authoritative servers respond to
queries for names for which they have the authority, normally in a
non-recursive manner.
3. Expected Behavior
Suppose that an authoritative server has an A RR but not a AAAA RR
for a host name. Then the server should return a response to a query
for a AAAA RR of the name with the response code (RCODE) being 0
(indicating no error) and with an empty answer section (see Sections
4.3.2 and 6.2.4 of [1]). Such a response indicates that there is at
least one RR of a different type than AAAA for the queried name, and
the stub resolver can then look for A RRs.
This way, the caching server can cache the fact that the queried name
does not have a AAAA RR (but may have other types of RRs), and thus
can improve the response time to further queries for a AAAA RR of the
name.
Morishita & Jinmei Expires April 23, 2005 [Page 2]
Internet-Draft Common Misbehavior against AAAA Queries October 2004
4. Problematic Behaviors
There are some known cases at authoritative servers that do not
conform to the expected behavior. This section describes those
problematic cases.
4.1 Ignore Queries for AAAA
Some authoritative servers seem to ignore queries for a AAAA RR,
causing a delay at the stub resolver to fall back to a query for an A
RR. This behavior may even cause a fatal timeout at the resolver or
at the application which calls the resolver. Even if the resolver
eventually falls back, the result can be an unacceptable delay for
the application user, especially with interactive applications like
web browsing.
4.2 Return "Name Error"
This type of server returns a response with the RCODE being 3 ("Name
Error") to a query for a AAAA RR, indicating it does not have any RRs
of any type for the queried name.
With this response, the stub resolver may immediately give up and
never fall back. Even if the resolver retries with a query for an A
RR, the negative response for the name has been cached in the caching
server, and the caching server will simply return the negative
response. As a result, the stub resolver considers this as a fatal
error in name resolution.
There have been several known examples of this behavior, but all the
examples that the authors know have fixed their behavior as of this
writing.
4.3 Return Other Erroneous Codes
Other authoritative servers return a response with other erroneous
response codes than RCODE 3 ("Name Error"). One well-known such
RCODE is 4 ("Not Implemented"), indicating the servers do not support
the requested type of query.
These cases are less harmful than the previous one; if the stub
resolver falls back to querying for an A RR, the caching server will
process the query correctly and return an appropriate response.
However, these can still cause a serious effect. There was an
authoritative server implementation that returned RCODE 2 ("Server
failure") to queries for AAAA RRs. One widely deployed mail server
Morishita & Jinmei Expires April 23, 2005 [Page 3]
Internet-Draft Common Misbehavior against AAAA Queries October 2004
implementation with a certain type of resolver library interpreted
this result as an indication of retry and did not fall back to
queries for A RRs, causing failure of message delivery.
If the caching server receives a response with these response codes,
it does not cache the fact that the queried name has no AAAA RR,
resulting in redundant queries for AAAA RRs in the future. The
behavior will waste network bandwidth and increase the load of the
authoritative server.
Using RCODE 1 ("Format error") would cause a similar effect, though
the authors have not seen such implementations yet.
4.4 Return a Broken Response
Another different type of authoritative servers returns broken
responses to AAAA queries. A known behavior of this category is to
return a response whose RR type is AAAA, but the length of the RDATA
is 4 bytes. The 4-byte data looks like the IPv4 address of the
queried host name. That is, the RR in the answer section would be
described like this:
www.bad.example. 600 IN AAAA 192.0.2.1
which is, of course, bogus (or at least meaningless).
A widely deployed caching server implementation transparently returns
the broken response (as well as caches it) to the stub resolver.
Another known server implementation parses the response by
themselves, and sends a separate response with the RCODE being 2
("Server failure").
In either case, the broken response does not affect queries for an A
RR of the same name. If the stub resolver falls back to A queries,
it will get an appropriate response.
The latter case, however, causes the same bad effect as that
described in the previous section: redundant queries for AAAA RRs.
4.5 Make Lame Delegation
Some authoritative servers respond to AAAA queries in a way causing
lame delegation. In this case the parent zone specifies that the
authoritative server should have the authority of a zone, but the
server does not return an authoritative response for AAAA queries
within the zone (i.e., the AA bit in the response is not set). On
the other hand, the authoritative server returns an authoritative
response for A queries.
Morishita & Jinmei Expires April 23, 2005 [Page 4]
Internet-Draft Common Misbehavior against AAAA Queries October 2004
When a caching server asks the server for AAAA RRs in the zone, it
recognizes the delegation is lame, and returns a response with the
RCODE being 2 ("Server failure") to the stub resolver.
Furthermore, some caching servers record the authoritative server as
lame for the zone and will not use it for a certain period of time.
With this type of caching server, even if the stub resolver falls
back to querying for an A RR, the caching server will simply return a
response with the RCODE being 2, since all the servers are known to
be "lame."
There is also an implementation that relaxes the behavior a little
bit. It basically tries to avoid using the lame server, but still
continues to try it as a last resort. With this type of caching
server, the stub resolver will get a correct response if it falls
back after Sever failure. However, this still causes redundant AAAA
queries as explained in the previous sections.
5. Security Considerations
The CERT/CC pointed out that the response with RCODE 3 ("Name Error")
described in Section 4.2 can be used for a denial of service attack
[2]. The same argument applies to the case of "lame delegation"
described in Section 4.5 with a certain type of caching server.
6. Acknowledgements
Erik Nordmark encouraged the authors to publish this document as an
Internet Draft. Akira Kato and Paul Vixie reviewed a preliminary
version of this document. Pekka Savola carefully reviewed a previous
version and provided detailed comments. Bill Fenner, Scott
Hollenbeck, Thomas Narten, and Alex Zinin reviewed and helped improve
the document at the last stage for publication.
7 Informative References
[1] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", RFC
1034, November 1987.
[2] The CERT Coordination Center, "Incorrect NXDOMAIN responses from
AAAA queries could cause denial-of-service conditions", March
2003, <http://www.kb.cert.org/vuls/id/714121>.
Morishita & Jinmei Expires April 23, 2005 [Page 5]
Internet-Draft Common Misbehavior against AAAA Queries October 2004
Authors' Addresses
MORISHITA Orange Yasuhiro
Research and Development Department, Japan Registry Service Co.,Ltd.
Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda
Chiyoda-ku, Tokyo 101-0065
Japan
EMail: yasuhiro@jprs.co.jp
JINMEI Tatuya
Corporate Research & Development Center, Toshiba Corporation
1 Komukai Toshiba-cho, Saiwai-ku
Kawasaki-shi, Kanagawa 212-8582
Japan
EMail: jinmei@isl.rdc.toshiba.co.jp
Appendix A. Change History
[NOTE TO RFC EDITOR: PLEASE REMOVE THIS SECTION UPON PUBLICATION.]
Changes since draft-morishita-dnsop-misbehavior-against-aaaa-00 are:
o Made a separate appendix and moved live examples to appendix so
that we can remove them when this document is (ever) officially
published.
o Revised some live examples based on the recent status.
o Noted in introduction that the misbehavior is not specific to AAAA
and that this document still concentrates on the AAAA case.
o Changed the section title of "delegation loop" to "lame
delegation" in order to reflect the essential point of the issue.
Wording on this matter was updated accordingly.
o Updated the Acknowledgements list.
o Changed the reference category from normative to informative (this
is an informational document after all).
o Changed the draft name to an IETF dnsop working group document (as
agreed).
o Applied several editorial fixes.
Changes since draft-ietf-dnsop-misbehavior-against-aaaa-00 are:
o Removed the appendix talking about live examples since these were
not appropriate for official publication.
o Added a note to rfc editor asking to remove this section upon
publication.
Morishita & Jinmei Expires April 23, 2005 [Page 6]
Internet-Draft Common Misbehavior against AAAA Queries October 2004
Changes since draft-ietf-dnsop-misbehavior-against-aaaa-01 are:
o Used the standard keywords for describing RCODEs.
o Provided more specific references for RFC1034.
o Described an additional known issue regarding RCODE 2 ("Server
failure"). Also changed the section title accordingly.
o Moved the "Ignore Queries" section to the first of Section 4,
since it looks the most widely seen misbehavior.
Morishita & Jinmei Expires April 23, 2005 [Page 7]
Internet-Draft Common Misbehavior against AAAA Queries October 2004
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Morishita & Jinmei Expires April 23, 2005 [Page 8]