draft-ietf-dnsop-qname-minimisation-00.txt   draft-ietf-dnsop-qname-minimisation-01.txt 
Network Working Group S. Bortzmeyer Domain Name System Operations (dnsop) Working Group S. Bortzmeyer
Internet-Draft AFNIC Internet-Draft AFNIC
Intended status: Informational October 22, 2014 Intended status: Experimental February 15, 2015
Expires: April 25, 2015 Expires: August 19, 2015
DNS query name minimisation to improve privacy DNS query name minimisation to improve privacy
draft-ietf-dnsop-qname-minimisation-00 draft-ietf-dnsop-qname-minimisation-01
Abstract Abstract
This document describes one of the techniques that could be used to This document describes one of the techniques that could be used to
improve DNS privacy (see [I-D.bortzmeyer-dnsop-dns-privacy]), a improve DNS privacy (see [I-D.ietf-dprive-problem-statement]), a
technique called "qname minimisation". technique called "qname minimisation".
Discussions of the document should take place on the DNSOP working Discussions of the document should take place on the DNSOP working
group mailing list [dnsop]. group mailing list [dnsop].
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 25, 2015. This Internet-Draft will expire on August 19, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction and background . . . . . . . . . . . . . . . . . 2 1. Introduction and background . . . . . . . . . . . . . . . . . 2
2. Qname minimisation . . . . . . . . . . . . . . . . . . . . . 2 2. Qname minimisation . . . . . . . . . . . . . . . . . . . . . 2
3. Operational considerations . . . . . . . . . . . . . . . . . 3 3. Operational considerations . . . . . . . . . . . . . . . . . 3
4. Other advantages . . . . . . . . . . . . . . . . . . . . . . 4 4. Performance implications . . . . . . . . . . . . . . . . . . 5
5. Security considerations . . . . . . . . . . . . . . . . . . . 5 5. Security considerations . . . . . . . . . . . . . . . . . . . 5
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1. Normative References . . . . . . . . . . . . . . . . . . 5 7.1. Normative References . . . . . . . . . . . . . . . . . . 6
7.2. Informative References . . . . . . . . . . . . . . . . . 6 7.2. Informative References . . . . . . . . . . . . . . . . . 6
Appendix A. An algorithm to find the zone cut . . . . . . . . . 6 7.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 Appendix A. An algorithm to find the zone cut . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction and background 1. Introduction and background
The problem statement is exposed in The problem statement is exposed in
[I-D.bortzmeyer-dnsop-dns-privacy]. The terminology ("qname", [I-D.ietf-dprive-problem-statement] TODO: add a reference to the
"resolver", etc) is also defined in this companion document. This specific section when ietf-dprive-problem-statement will be published
specific solution is not intended to completely solve the problem, as RFC. The terminology ("qname", "resolver", etc) is also defined
far from it. It is better to see it as one tool among a toolbox. in this companion document. This specific solution is not intended
to fully solve the DNS privacy problem; instead, it should be viewed
as one tool amongst many.
It follows the principle explained in section 6.1 of [RFC6973]: the It follows the principle explained in section 6.1 of [RFC6973]: the
less data you send out, the less privacy problems you'll get. less data you send out, the less privacy problems you'll get.
2. Qname minimisation 2. Qname minimisation
The idea is to minimise the amount of data sent from the DNS The idea is to minimise the amount of data sent from the DNS
resolver. When a resolver receives the query "What is the AAAA resolver. When a resolver receives the query "What is the AAAA
record for www.example.com?", it sends to the root (assuming a cold record for www.example.com?", it sends to the root (assuming a cold
resolver, whose cache is empty) the very same question. Sending resolver, whose cache is empty) the very same question. Sending
"What are the NS records for .com?" would be sufficient (since it "What are the NS records for .com?" would be sufficient (since it
will be the answer from the root anyway). To do so would be will be the answer from the root anyway). To do so would be
compatible with the current DNS system and therefore could be easily compatible with the current DNS system and therefore could be easily
deployable, since it is an unilateral change to the resolvers. deployable, since it is an unilateral change to the resolvers, it
does not change the protocol. Because of that, resolver implementers
may do qname minmisation in slightly different ways.
If "minimisation" is too long, you can write it "m12n". If "minimisation" is too long, you can write it "m10n".
To do such minimisation, the resolver needs to know the zone cut To do such minimisation, the resolver needs to know the zone cut
[RFC2181]. There is not a zone cut at every label boundary. If we [RFC2181]. Zone cuts do not necessarily exist at every label
take the name www.foo.bar.example, it is possible that there is a boundary. If we take the name www.foo.bar.example, it is possible
zone cut between "foo" and "bar" but not between "bar" and "example". that there is a zone cut between "foo" and "bar" but not between
So, assuming the resolver already knows the name servers of .example, "bar" and "example". So, assuming the resolver already knows the
when it receives the query "What is the AAAA record of name servers of .example, when it receives the query "What is the
www.foo.bar.example", it does not always know if the request should AAAA record of www.foo.bar.example", it does not always know if the
be sent to the name servers of bar.example or to those of example. request should be sent to the name servers of bar.example or to those
[RFC2181] suggests a method to find the zone cut (section 6), so of example. [RFC2181] suggests a method to find the zone cut
resolvers may try it. (section 6), so resolvers may try it.
Note that DNSSEC-validating resolvers already have access to this Note that DNSSEC-validating resolvers already have access to this
information, since they have to find the zone cut (the DNSKEY record information, since they have to find the zone cut (the DNSKEY record
set is just below, the DS record set just above). set is just below, the DS record set just above).
It can be noted that minimising the amount of data sent also Minimising the amount of data sent also, in part, addresses the case
partially addresses the case of a wire sniffer, not just the case of of a wire sniffer as well the case of privacy invasion by the
privacy invasion by the servers. servers.
One should note that the behaviour suggested here (minimising the One should note that the behaviour suggested here (minimising the
amount of data sent in qnames) is NOT forbidden by the [RFC1034] amount of data sent in qnames) is NOT forbidden by the [RFC1034]
(section 5.3.3) or [RFC1035] (section 7.2). Sending the full qname (section 5.3.3) or [RFC1035] (section 7.2). Sending the full qname
to the authoritative name server is a tradition, not a protocol to the authoritative name server is a tradition, not a protocol
requirment. requirment. This tradition comes[mockapetris-history] from a desire
to optimize the number of requests, when the same name server is
authoritative for many zones in a given name (something which was
more common in the old days, where the same name servers served .com
and the root) or when the same name server is both recursive and
authoritative (something which is strongly discouraged now).
Whatever the merits of this choice at this time, the DNS is quite
different now.
As mentioned before, there are several ways to implement qname
minimisation. Two main strategies are the aggressive one and the
lazy one. In the aggressive one, the resolver only sends NS queries
as long as it does not know the zone cuts. This is the safest, from
a privacy point of view. The lazy way "piggybacks" on the
traditional resolution code. It sends traditional full qnames and
learn the zone cuts from the referrals received, then switching to NS
queries. This leaks more data but probably requires less changes in
the existing resolver codebase.
3. Operational considerations 3. Operational considerations
The administrators of the forwarders, and of the authoritative name The administrators of the forwarders, and of the authoritative name
servers, will get less data, which will reduce the utility of the servers, will get less data, which will reduce the utility of the
statistics they can produce (such as the percentage of the various statistics they can produce (such as the percentage of the various
qtypes). On the other hand, it will decrease their legal qtypes). On the other hand, it may decrease their legal
responsability, in many cases. responsibility.
Some broken name servers do not react properly to qtype=NS requests. Some broken name servers do not react properly to qtype=NS requests.
As an example of today, look at www.ratp.fr (not ratp.fr), which is For instance, some authoritative name servers embedded in load
delegated to two name servers that reply properly to "A www.ratp.fr" balancers reply properly to A queries but send REFUSED to NS queries.
queries but send REFUSED to queries "NS www.ratp.fr". This behaviour REMOVE THIS SENTENCE BEFORE PUBLICATION: As an example of today, look
is a gross protocol violation and there is no need to stop improving at www.ratp.fr (not ratp.fr). This behaviour is a gross protocol
the DNS because of such brokenness. However, qname minimisation may violation, and there is no need to stop improving the DNS because of
still work with such domains since they are only leaf domains (no such brokenness. However, qname minimisation may still work with
need to send them NS requests). Anyway, such setup breaks many such domains since they are only leaf domains (no need to send them
things (besides qname minimisation), it breaks negative answers as NS requests). Such setup breaks more than just qname minimisation.
the servers don't return the correct SOA. It also breaks anything It breaks negative answers, since the servers don't return the
that depends on NS and SOA records existing at the top of the zone. correct SOA, and it also breaks anything dependent upon NS and SOA
records existing at the top of the zone.
A problem can also appear when a name server does not react properly
to ENT (Empty Non-Terminals). If ent.example.com has no resource
records but foobar.ent.example.com does, then ent.example.com is an
ENT. A query, whatever the qtype, for ent.example.com must return
NODATA (NOERROR / ANSWER: 0). However, some broken name servers
return NXDOMAIN for ENTs. REMOVE THIS SENTENCE BEFORE PUBLICATION:
As an example of today, look at com.akadns.net or www.upenn.edu with
its delegations to Akamai. If a resolver queries only
foobar.ent.example.com, everything will be OK but, if it implements
qname minimisation, it may query ent.example.com and get a NXDOMAIN.
See also section 3 of [I-D.vixie-dnsext-resimprove] for the other bad
consequences of this brokenness.
Another way to deal with such broken name servers would be to try Another way to deal with such broken name servers would be to try
with A requests (A being choosen because it is the most common and with A requests (A being chosen because it is the most common and
hence the least revealing qtype). Instead of querying name servers hence a qtype which will be always accepted, while a qtype NS may
with a query "NS example.com", we could use "A _.example.com" and see ruffle the feathers of some middleboxes). Instead of querying name
if we get a referral. servers with a query "NS example.com", we could use "A _.example.com"
and see if we get a referral.
Other strange and illegal practice may pose a problem: for instance, Other strange and illegal practices may pose a problem: for instance,
there is a common DNS anti-pattern used by low-end web hosters that there is a common DNS anti-pattern used by low-end web hosters that
also do DNS hosting that exploits the fact that the DNS protocol also do DNS hosting that exploits the fact that the DNS protocol
(pre-DNSSEC) allows certain serious misconfigurations, such as parent (pre-DNSSEC) allows certain serious misconfigurations, such as parent
and child zones disagreeing on the location of a zone cut. and child zones disagreeing on the location of a zone cut.
Basically, they have a single zone with wildcards like: Basically, they have a single zone with wildcards like:
;; ANSWER SECTION: *.example. 60 IN A 192.0.2.6
*.com. 60 IN A 74.220.199.6
; and:
;; ANSWER SECTION:
*.uk. 60 IN A 74.220.199.6
; etc.
(It is not known why they don't just wildcard all of "*." and be done (It is not known why they don't just wildcard all of "*." and be done
with it.) with it.)
This lets them turn up tons of web hosting customers without having This lets them turn up tons of web hosting customers without having
to configure thousands of individual zones on their nameservers. to configure thousands of individual zones on their nameservers.
They just tell the prospective customer to point their NS records at They just tell the prospective customer to point their NS records at
their nameservers, and the Web hoster doesn't have to provision their nameservers, and the Web hoster doesn't have to provision
anything in order to make the customer's domain resolve. anything in order to make the customer's domain resolve.
skipping to change at page 4, line 44 skipping to change at page 5, line 18
instance for a deep domain name (like instance for a deep domain name (like
www.host.group.department.example.com where www.host.group.department.example.com where
host.group.department.example.com is hosted on example.com's name host.group.department.example.com is hosted on example.com's name
servers). For such a name, a cold resolver will, depending how qname servers). For such a name, a cold resolver will, depending how qname
minimisation is implemented, send more queries. Once warm, there minimisation is implemented, send more queries. Once warm, there
will be no difference with a traditional resolver. A possible will be no difference with a traditional resolver. A possible
solution is to always use the traditional algorithm when the cache is solution is to always use the traditional algorithm when the cache is
cold and then to move to qname minimisation. This will decrease the cold and then to move to qname minimisation. This will decrease the
privacy a bit but will guarantee no degradation of performance. privacy a bit but will guarantee no degradation of performance.
4. Other advantages Another useful optimisation may be, in the spirit of the HAMMER idea
[I-D.wkumari-dnsop-hammer] to probe in advance for the introduction
of zone cuts where none previously existed (i.e. confirm their
continued absence, or discover them.)
The main goal of qname minimisation is to improve privacy, by sending 4. Performance implications
The main goal of qname minimisation is to improve privacy by sending
less data. However, it may have other advantages. For instance, if less data. However, it may have other advantages. For instance, if
a root name server receives a query from some resolver for A.CORP a root name server receives a query from some resolver for A.CORP
followed by B.CORP followed by C.CORP, the result will be three followed by B.CORP followed by C.CORP, the result will be three
NXDOMAINs, since .CORP does not exist in the root zone. Under query NXDOMAINs, since .CORP does not exist in the root zone. Under query
minimization, the root name servers would hear only one question (for name minimisation, the root name servers would hear only one question
.CORP itself) to which they could answer NXDOMAIN, thus opening up a (for .CORP itself) to which they could answer NXDOMAIN, thus opening
negative caching opportunity in which the full resolver could know a up a negative caching opportunity in which the full resolver could
priori that neither B.CORP or C.CORP could exist. Thus in this know a priori that neither B.CORP or C.CORP could exist. Thus in
common case the total number of upstream queries under query this common case the total number of upstream queries under qname
minimisation would be counter-intuitively less than the number of minimisation would be counter-intuitively less than the number of
queries under the traditional iteration (as described in the DNS queries under the traditional iteration (as described in the DNS
standard). standard).
Qname minimisation may also improve look-up performance for TLD
operators. For a typical TLD, delegation-only, and with delegations
just under the TLD, a 2-label QNAME query is optimal for finding the
delegation owner name.
5. Security considerations 5. Security considerations
No security consequence (besides privacy improvment) is known at this No security consequence (besides privacy improvment) is known at this
time. time.
6. Acknowledgments 6. Acknowledgments
Thanks to Olaf Kolkman for the original idea. Thanks to Mark Andrews Thanks to Olaf Kolkman for the original idea although the concept is
and Francis Dupont for the interesting discussions. Thanks to Mohsen probably much older [1]. Thanks to Mark Andrews and Francis Dupont
Souissi for proofreading. Thanks to Tony Finch for the zone cut for the interesting discussions. Thanks to Brian Dickson, Warren
algorithm in Appendix A. Thanks to Paul Vixie for pointing out that Kumari and David Conrad for remarks and suggestions. Thanks to
there are practical advantages (besides privacy) to qname m12n. Mohsen Souissi for proofreading. Thanks to Tony Finch for the zone
cut algorithm in Appendix A. Thanks to Paul Vixie for pointing out
that there are practical advantages (besides privacy) to qname m10n.
Thanks to Phillip Hallam-Baker for the fallback on A queries, to deal Thanks to Phillip Hallam-Baker for the fallback on A queries, to deal
with broken servers. Thanks to Robert Edmonds for an interesting with broken servers. Thanks to Robert Edmonds for an interesting
anti-pattern. anti-pattern.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, July Considerations for Internet Protocols", RFC 6973, July
2013. 2013.
[I-D.bortzmeyer-dnsop-dns-privacy] [I-D.ietf-dprive-problem-statement]
Bortzmeyer, S., "DNS privacy considerations", draft- Bortzmeyer, S., "DNS privacy considerations", draft-ietf-
bortzmeyer-dnsop-dns-privacy-02 (work in progress), April dprive-problem-statement-01 (work in progress), January
2014. 2015.
7.2. Informative References 7.2. Informative References
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997. Specification", RFC 2181, July 1997.
[dprive] IETF, , "The DPRIVE working group of IETF", March 2014, [I-D.wkumari-dnsop-hammer]
<https://datatracker.ietf.org/wg/dprive/charter/>. Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly
Automated Method for Maintaining Expiring Records", draft-
wkumari-dnsop-hammer-01 (work in progress), July 2014.
[I-D.vixie-dnsext-resimprove]
Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS
Resolvers for Resiliency, Robustness, and Responsiveness",
draft-vixie-dnsext-resimprove-00 (work in progress), June
2010.
[dnsop] IETF, , "The DNSOP working group of IETF", March 2014, [dnsop] IETF, , "The DNSOP working group of IETF", March 2014,
<https://datatracker.ietf.org/wg/dnsop/charter/>. <https://datatracker.ietf.org/wg/dnsop/charter/>.
[mockapetris-history]
Mockapetris, P., "Private discussion", January 2015.
7.3. URIs
[1] https://lists.dns-oarc.net/pipermail/dns-
operations/2010-February/005003.html
Appendix A. An algorithm to find the zone cut Appendix A. An algorithm to find the zone cut
Although a validating resolver already has the logic to find the zone Although a validating resolver already has the logic to find the zone
cut, other resolvers may be interested by this algorithm to follow in cut, other resolvers may be interested by this algorithm to follow in
order to locate this cut: order to locate this cut:
(0) If the query can be answered from the cache, do so, otherwise (0) If the query can be answered from the cache, do so, otherwise
iterate as follows: iterate as follows:
(1) Find closest enclosing NS RRset in your cache. The owner of (1) Find closest enclosing NS RRset in your cache. The owner of
 End of changes. 30 change blocks. 
80 lines changed or deleted 134 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/