draft-ietf-dnsop-qname-minimisation-02.txt   draft-ietf-dnsop-qname-minimisation-03.txt 
Domain Name System Operations (dnsop) Working Group S. Bortzmeyer Domain Name System Operations (dnsop) Working Group S. Bortzmeyer
Internet-Draft AFNIC Internet-Draft AFNIC
Intended status: Experimental March 4, 2015 Intended status: Experimental June 7, 2015
Expires: September 5, 2015 Expires: December 9, 2015
DNS query name minimisation to improve privacy DNS query name minimisation to improve privacy
draft-ietf-dnsop-qname-minimisation-02 draft-ietf-dnsop-qname-minimisation-03
Abstract Abstract
This document describes one of the techniques that could be used to This document describes one of the techniques that could be used to
improve DNS privacy (see [I-D.ietf-dprive-problem-statement]), a improve DNS privacy (see [I-D.ietf-dprive-problem-statement]), a
technique called "qname minimisation". technique called "QNAME minimisation", where the DNS resolver no
longer sends the full original QNAME to the upstream name server.
REMOVE BEFORE PUBLICATION Discussions of the document should take REMOVE BEFORE PUBLICATION Discussions of the document should take
place on the DNSOP working group mailing list [dnsop]. place on the DNSOP working group mailing list [dnsop].
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 5, 2015. This Internet-Draft will expire on December 9, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction and background . . . . . . . . . . . . . . . . . 2 1. Introduction and background . . . . . . . . . . . . . . . . . 2
2. Qname minimisation . . . . . . . . . . . . . . . . . . . . . 2 2. QNAME minimisation . . . . . . . . . . . . . . . . . . . . . 3
3. Operational considerations . . . . . . . . . . . . . . . . . 3 3. Possible issues . . . . . . . . . . . . . . . . . . . . . . . 3
4. Performance implications . . . . . . . . . . . . . . . . . . 5 4. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Security considerations . . . . . . . . . . . . . . . . . . . 6 5. Operational considerations . . . . . . . . . . . . . . . . . 5
6. Implementation status - REMOVE BEFORE PUBLICATION . . . . . . 6 6. Performance considerations . . . . . . . . . . . . . . . . . 5
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 7. Security considerations . . . . . . . . . . . . . . . . . . . 6
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 8. Implementation status - REMOVE BEFORE PUBLICATION . . . . . . 6
8.1. Normative References . . . . . . . . . . . . . . . . . . 7 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7
8.2. Informative References . . . . . . . . . . . . . . . . . 7 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 8 10.1. Normative References . . . . . . . . . . . . . . . . . . 7
Appendix A. An algorithm to find the zone cut . . . . . . . . . 8 10.2. Informative References . . . . . . . . . . . . . . . . . 8
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Appendix A. An algorithm to find the zone cut . . . . . . . . . 9
Appendix B. Alternatives . . . . . . . . . . . . . . . . . . . . 10
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction and background 1. Introduction and background
The problem statement is exposed in The problem statement is exposed in
[I-D.ietf-dprive-problem-statement] TODO: add a reference to the [I-D.ietf-dprive-problem-statement] TODO: add a reference to the
specific section when ietf-dprive-problem-statement will be published specific section when ietf-dprive-problem-statement will be published
as RFC. The terminology ("qname", "resolver", etc) is also defined as RFC. The terminology ("QNAME", "resolver", etc) is also defined
in this companion document. This specific solution is not intended in this companion document. This specific solution is not intended
to fully solve the DNS privacy problem; instead, it should be viewed to fully solve the DNS privacy problem; instead, it should be viewed
as one tool amongst many. as one tool amongst many.
It follows the principle explained in section 6.1 of [RFC6973]: the It follows the principle explained in section 6.1 of [RFC6973]: the
less data you send out, the fewer privacy problems you'll get. less data you send out, the fewer privacy problems you'll get.
2. Qname minimisation Under current practice, when a resolver receives the query "What is
the AAAA record for www.example.com?", it sends to the root (assuming
a cold resolver, whose cache is empty) the very same question.
Sending the full QNAME to the authoritative name server is a
tradition, not a protocol requirement. This tradition
comes[mockapetris-history] from a desire to optimize the number of
requests, when the same name server is authoritative for many zones
in a given name (something which was more common in the old days,
where the same name servers served .com and the root) or when the
same name server is both recursive and authoritative (something which
is strongly discouraged now). Whatever the merits of this choice at
this time, the DNS is quite different now.
The idea is to minimise the amount of data sent from the DNS 2. QNAME minimisation
resolver. Under current practice, when a resolver receives the query
"What is the AAAA record for www.example.com?", it sends to the root The idea is to minimise the amount of data sent from the DNS resolver
(assuming a cold resolver, whose cache is empty) the very same to the authoritative name server. In the example in the previous
question. Sending "What are the NS records for .com?" would be section, sending "What are the NS records for .com?" would have been
sufficient (since it will be the answer from the root anyway). This sufficient (since it will be the answer from the root anyway). The
is compatible with the current DNS system and therefore can easily be rest of this section describes the recommended way to do QNAME
deployed; since it is a unilateral change to the resolver, it does minimisation, the one which maximimes privacy benefits (other
not change the protocol. Because of that, resolver implementers may alternatives are discussed in appendixes).
do qname minmisation in slightly different ways.
A resolver which implements QNAME minimisation, and which does not
have already the answer in its cache, instead of sending the full
QNAME and the original QTYPE upstream, sends a request to the name
server authoritative for the closest known parent of the original
QNAME. The request is done with:
the QTYPE NS,
the QNAME which is the original QNAME, stripped to just one label
more than the zone for which the server is authoritative.
For example, a resolver receives a request to resolve
foo.bar.baz.example. Let's assume it already knows that
ns1.nic.example is authoritative for .example and the resolver does
not know a more specific authoritative name server. It will send the
query QTYPE=NS,QNAME=baz.example to ns1.nic.example.
To do such minimisation, the resolver needs to know the zone cut To do such minimisation, the resolver needs to know the zone cut
[RFC2181]. Zone cuts do not necessarily exist at every label [RFC2181]. Zone cuts do not necessarily exist at every label
boundary. If we take the name www.foo.bar.example, it is possible boundary. If we take the name www.foo.bar.example, it is possible
that there is a zone cut between "foo" and "bar" but not between that there is a zone cut between "foo" and "bar" but not between
"bar" and "example". So, assuming the resolver already knows the "bar" and "example". So, assuming the resolver already knows the
name servers of .example, when it receives the query "What is the name servers of .example, when it receives the query "What is the
AAAA record of www.foo.bar.example", it does not always know whether AAAA record of www.foo.bar.example", it does not always know whether
the request should be sent to the name servers of bar.example or to the request should be sent to the name servers of bar.example or to
those of example. [RFC2181] suggests a method to find the zone cut those of example. [RFC2181] suggests a method to find the zone cut
(section 6), so resolvers may try it. (section 6), so resolvers may try it.
Note that DNSSEC-validating resolvers already have access to this Note that DNSSEC-validating resolvers already have access to this
information, since they have to find the zone cut (the DNSKEY record information, since they have to find the zone cut (the DNSKEY record
set is just below, the DS record set just above). set is just below, the DS record set just above).
One should note that the behaviour suggested here (minimising the 3. Possible issues
amount of data sent in qnames from the resolver) is NOT forbidden by
the [RFC1034] (section 5.3.3) or [RFC1035] (section 7.2). Sending
the full qname to the authoritative name server is a tradition, not a
protocol requirement. This tradition comes[mockapetris-history] from
a desire to optimize the number of requests, when the same name
server is authoritative for many zones in a given name (something
which was more common in the old days, where the same name servers
served .com and the root) or when the same name server is both
recursive and authoritative (something which is strongly discouraged
now). Whatever the merits of this choice at this time, the DNS is
quite different now.
It may be noticed that many documents explaining the DNS and intended
for a wide audience, incorrectly describe the resolution process as
using qname minimisation, for instance by showing a request going to
the root, with just the TLD in the query. As a result, these
documents may confuse the privacy analysis of the users who see them.
As mentioned before, there are several ways to implement qname
minimisation. Two main strategies are the aggressive one and the
lazy one. In the aggressive one, the resolver only sends NS queries
as long as it does not know the zone cuts. This is the safest, from
a privacy point of view. The lazy way "piggybacks" on the
traditional resolution code. It sends traditional full qnames and
learns the zone cuts from the referrals received, then switches to NS
queries asking only for the minimum domain name. This leaks more
data but probably requires fewer changes in the existing resolver
codebase.
3. Operational considerations
The administrators of the forwarders, and of the authoritative name QNAME minimisation is legal, since the original DNS RFC do not
servers, will get less data, which will reduce the utility of the mandate sending the full QNAME. So, in theory, it should work
statistics they can produce (such as the percentage of the various without any problems. However, in practice, some problems may occur
qtypes). On the other hand, it may decrease their legal (see an analysis in [huque-qnamemin]).
responsibility in some jurisdictions. (TODO: do we keep any mention
of legal issues? We're not lawyers.)
Some broken name servers do not react properly to qtype=NS requests. Some broken name servers do not react properly to qtype=NS requests.
For instance, some authoritative name servers embedded in load For instance, some authoritative name servers embedded in load
balancers reply properly to A queries but send REFUSED to NS queries. balancers reply properly to A queries but send REFUSED to NS queries.
REMOVE THIS SENTENCE BEFORE PUBLICATION: As an example of today, look REMOVE THIS SENTENCE BEFORE PUBLICATION: As an example of today, look
at www.ratp.fr (not ratp.fr). This behaviour is a gross protocol at www.ratp.fr (not ratp.fr). This behaviour is a gross protocol
violation, and there is no need to stop improving the DNS because of violation, and there is no need to stop improving the DNS because of
such brokenness. However, qname minimisation may still work with such brokenness. However, QNAME minimisation may still work with
such domains since they are only leaf domains (no need to send them such domains since they are only leaf domains (no need to send them
NS requests). Such setup breaks more than just qname minimisation. NS requests). Such setup breaks more than just QNAME minimisation.
It breaks negative answers, since the servers don't return the It breaks negative answers, since the servers don't return the
correct SOA, and it also breaks anything dependent upon NS and SOA correct SOA, and it also breaks anything dependent upon NS and SOA
records existing at the top of the zone. records existing at the top of the zone.
A problem can also appear when a name server does not react properly A problem can also appear when a name server does not react properly
to ENT (Empty Non-Terminals). If ent.example.com has no resource to ENT (Empty Non-Terminals). If ent.example.com has no resource
records but foobar.ent.example.com does, then ent.example.com is an records but foobar.ent.example.com does, then ent.example.com is an
ENT. A query, whatever the qtype, for ent.example.com must return ENT. A query, whatever the qtype, for ent.example.com must return
NODATA (NOERROR / ANSWER: 0). However, some broken name servers NODATA (NOERROR / ANSWER: 0). However, some broken name servers
return NXDOMAIN for ENTs. REMOVE THIS SENTENCE BEFORE PUBLICATION: return NXDOMAIN for ENTs. REMOVE THIS SENTENCE BEFORE PUBLICATION:
As an example of today, look at com.akadns.net or www.upenn.edu with As an example of today, look at com.akadns.net or www.upenn.edu with
its delegations to Akamai. If a resolver queries only its delegations to Akamai. If a resolver queries only
foobar.ent.example.com, everything will be OK but, if it implements foobar.ent.example.com, everything will be OK but, if it implements
qname minimisation, it may query ent.example.com and get a NXDOMAIN. QNAME minimisation, it may query ent.example.com and get a NXDOMAIN.
See also section 3 of [I-D.vixie-dnsext-resimprove] for the other bad See also section 3 of [I-D.vixie-dnsext-resimprove] for the other bad
consequences of this brokenness. consequences of this brokenness.
Another way to deal with such broken name servers would be to try Another way to deal with such broken name servers would be to try
with A requests (A being chosen because it is the most common and with QTYPE=A requests (A being chosen because it is the most common
hence a qtype which will be always accepted, while a qtype NS may and hence a qtype which will be always accepted, while a qtype NS may
ruffle the feathers of some middleboxes). Instead of querying name ruffle the feathers of some middleboxes). Instead of querying name
servers with a query "NS example.com", we could use "A _.example.com" servers with a query "NS example.com", we could use "A _.example.com"
and see if we get a referral. and see if we get a referral.
Other strange and illegal practices may pose a problem: there is a Other strange and non-conformant practices may pose a problem: there
common DNS anti-pattern used by low-end web hosters that also do DNS is a common DNS anti-pattern used by low-end web hosters that also do
hosting that exploits the fact that the DNS protocol (pre-DNSSEC) DNS hosting that exploits the fact that the DNS protocol (pre-DNSSEC)
allows certain serious misconfigurations, such as parent and child allows certain serious misconfigurations, such as parent and child
zones disagreeing on the location of a zone cut. Basically, they zones disagreeing on the location of a zone cut. Basically, they
have a single zone with wildcards for each TLD like: have a single zone with wildcards for each TLD like:
*.example. 60 IN A 192.0.2.6 *.example. 60 IN A 192.0.2.6
(It is not known why they don't just wildcard all of "*." and be done (It is not known why they don't just wildcard all of "*." and be done
with it.) with it.)
This lets them turn up many web hosting customers without having to This lets them turn up many web hosting customers without having to
configure thousands of individual zones on their nameservers. They configure thousands of individual zones on their nameservers. They
just tell the prospective customer to point their NS records at the just tell the prospective customer to point their NS records at the
hoster's nameservers, and the Web hoster doesn't have to provision hoster's nameservers, and the Web hoster doesn't have to provision
anything in order to make the customer's domain resolve. NS queries anything in order to make the customer's domain resolve. NS queries
to the hoster will therefore do not give the right result, which may to the hoster will therefore do not give the right result, which may
endanger qname minimisation (it will be a problem for DNSSEC, too). endanger QNAME minimisation (it will be a problem for DNSSEC, too).
Qname minimisation can decrease performance in some cases, for 4. Discussion
instance for a deep domain name (like
www.host.group.department.example.com where
host.group.department.example.com is hosted on example.com's name
servers). For such a name, a cold resolver will, depending how qname
minimisation is implemented, send more queries. Once the cache is
warm, there will be no difference with a traditional resolver. A
possible solution is to always use the traditional algorithm when the
cache is cold and then to move to qname minimisation. This will
decrease the privacy a bit but will guarantee no degradation of
performance.
Another useful optimisation may be, in the spirit of the HAMMER idea QNAME minimisation is compatible with the current DNS system and
[I-D.wkumari-dnsop-hammer] to probe in advance for the introduction therefore can easily be deployed; since it is a unilateral change to
of zone cuts where none previously existed (i.e. confirm their the resolver, it does not change the protocol. (Because of that,
continued absence, or discover them.) resolver implementers may do QNAME minimisation in slightly different
ways, see the appendices for examples.).
4. Performance implications One should note that the behaviour suggested here (minimising the
amount of data sent in QNAMEs from the resolver) is NOT forbidden by
the [RFC1034] (section 5.3.3) or [RFC1035] (section 7.2). As said in
Section 1, the current method, sending the full QNAME, is not
mandated by the DNS protocol.
The main goal of qname minimisation is to improve privacy by sending It may be noticed that many documents explaining the DNS and intended
for a wide audience, incorrectly describe the resolution process as
using QNAME minimisation, for instance by showing a request going to
the root, with just the TLD in the query. As a result, these
documents may confuse the privacy analysis of the users who see them.
5. Operational considerations
The administrators of the forwarders, and of the authoritative name
servers, will get less data, which will reduce the utility of the
statistics they can produce (such as the percentage of the various
QTYPEs) [kaliski-minimum].
DNS administrators are reminded that the data on DNS requests that
they store may have legal consequences, depending on your
jurisdiction (check with your local lawyer).
6. Performance considerations
The main goal of QNAME minimisation is to improve privacy by sending
less data. However, it may have other advantages. For instance, if less data. However, it may have other advantages. For instance, if
a root name server receives a query from some resolver for A.CORP a root name server receives a query from some resolver for A.example
followed by B.CORP followed by C.CORP, the result will be three followed by B.example followed by C.example, the result will be three
NXDOMAINs, since .CORP does not exist in the root zone. Under query NXDOMAINs, since .example does not exist in the root zone. Under
name minimisation, the root name servers would hear only one question query name minimisation, the root name servers would hear only one
(for .CORP itself) to which they could answer NXDOMAIN, thus opening question (for .example itself) to which they could answer NXDOMAIN,
up a negative caching opportunity in which the full resolver could thus opening up a negative caching opportunity in which the full
know a priori that neither B.CORP or C.CORP could exist. Thus in resolver could know a priori that neither B.example or C.example
this common case the total number of upstream queries under qname could exist. Thus in this common case the total number of upstream
minimisation would be counter-intuitively inferior to the number of queries under QNAME minimisation would be counter-intuitively less
queries under the traditional iteration (as described in the DNS than the number of queries under the traditional iteration (as
standard). described in the DNS standard).
Qname minimisation may also improve look-up performance for TLD QNAME minimisation may also improve look-up performance for TLD
operators. For a typical TLD, delegation-only, and with delegations operators. For a typical TLD, delegation-only, and with delegations
just under the TLD, a 2-label QNAME query is optimal for finding the just under the TLD, a 2-label QNAME query is optimal for finding the
delegation owner name. delegation owner name.
5. Security considerations QNAME minimisation can decrease performance in some cases, for
instance for a deep domain name (like
www.host.group.department.example.com where
host.group.department.example.com is hosted on example.com's name
servers). For such a name, a cold resolver will, depending how QNAME
minimisation is implemented, send more queries. Once the cache is
warm, there will be no difference with a traditional resolver. A
possible solution is to always use the traditional algorithm when the
cache is cold and then to move to QNAME minimisation. This will
decrease the privacy a bit but will guarantee no degradation of
performance. Actual testing is described in [huque-qnamemin]. Such
deep domains are specially common under ip6.arpa.
Qname minimisation's benefits are clear in the case where you want to 7. Security considerations
QNAME minimisation's benefits are clear in the case where you want to
decrease exposure to the authoritative name server. But minimising decrease exposure to the authoritative name server. But minimising
the amount of data sent also, in part, addresses the case of a wire the amount of data sent also, in part, addresses the case of a wire
sniffer as well the case of privacy invasion by the servers. sniffer as well the case of privacy invasion by the servers.
(Encryption is of course a better defense against wire sniffers but, (Encryption is of course a better defense against wire sniffers but,
unlike qname minimisation, it changes the protocol and cannot be unlike QNAME minimisation, it changes the protocol and cannot be
deployed unilaterally.) deployed unilaterally. Also, the effect of QNAME minimisation on
wire sniffers depend on whether the sniffer is, on the DNS path.)
Qname minimisation offers zero protection against the recursive QNAME minimisation offers zero protection against the recursive
resolver, which still sees the full request coming from the stub resolver, which still sees the full request coming from the stub
resolver. resolver.
At this stage, this document does not recommend one of the two qname 8. Implementation status - REMOVE BEFORE PUBLICATION
minimisation approaches (aggressive or lazy) against the other.
No security consequence (besides privacy improvment) is known at this
time.
6. Implementation status - REMOVE BEFORE PUBLICATION
This section records the status of known implementations of the This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in [RFC6982]. Internet-Draft, and is based on a proposal described in [RFC6982].
The description of implementations in this section is intended to The description of implementations in this section is intended to
assist the IETF in its decision processes in progressing drafts to assist the IETF in its decision processes in progressing drafts to
RFCs. Please note that the listing of any individual implementation RFCs. Please note that the listing of any individual implementation
here does not imply endorsement by the IETF. Furthermore, no effort here does not imply endorsement by the IETF. Furthermore, no effort
has been spent to verify the information presented here that was has been spent to verify the information presented here that was
supplied by IETF contributors. This is not intended as, and must not supplied by IETF contributors. This is not intended as, and must not
skipping to change at page 6, line 47 skipping to change at page 7, line 15
features. Readers are advised to note that other implementations may features. Readers are advised to note that other implementations may
exist. exist.
According to [RFC6982], "this will allow reviewers and working groups According to [RFC6982], "this will allow reviewers and working groups
to assign due consideration to documents that have the benefit of to assign due consideration to documents that have the benefit of
running code, which may serve as evidence of valuable experimentation running code, which may serve as evidence of valuable experimentation
and feedback that have made the implemented protocols more mature. and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as It is up to the individual working groups to use this information as
they see fit". they see fit".
As of today, no production resolver implements qname minimisation. As of today, no production resolver implements QNAME minimisation but
For Unbound, see ticket 648 [1]. it has been publically announced for the future Knot DNS resolver
[1]. For Unbound, see ticket 648 [2] and for PowerDNS [3].
The algorithm to find the zone cuts described in Appendix A is The algorithm to find the zone cuts described in Appendix A is
implemented with qname minimisation in the sample code zonecut.go implemented with QNAME minimisation in the sample code zonecut.go
[4]. It is also implemented, for a much longer time, in an option of
dig, "dig +trace", but without QNAME minimisation.
[2]. It is also implemented, for a much longer time, in an option of Another implementation was done by Shumon Huque for testing, and is
dig, "dig +trace", but without qname minimisation. described in [huque-qnamemin].
7. Acknowledgments 9. Acknowledgments
Thanks to Olaf Kolkman for the original idea although the concept is Thanks to Olaf Kolkman for the original idea although the concept is
probably much older [3]. Thanks to Mark Andrews and Francis Dupont probably much older [5]. Thanks for Shumon Huque for implementation
for the interesting discussions. Thanks to Brian Dickson, Warren and testing. Thanks to Mark Andrews and Francis Dupont for the
Kumari, Evan Hunt and David Conrad for remarks and suggestions. interesting discussions. Thanks to Brian Dickson, Warren Kumari,
Thanks to Mohsen Souissi for proofreading. Thanks to Tony Finch for Evan Hunt and David Conrad for remarks and suggestions. Thanks to
the zone cut algorithm in Appendix A. Thanks to Paul Vixie for Mohsen Souissi for proofreading. Thanks to Tony Finch for the zone
pointing out that there are practical advantages (besides privacy) to cut algorithm in Appendix A. Thanks to Paul Vixie for pointing out
qname minimisation. Thanks to Phillip Hallam-Baker for the fallback that there are practical advantages (besides privacy) to QNAME
on A queries, to deal with broken servers. Thanks to Robert Edmonds minimisation. Thanks to Phillip Hallam-Baker for the fallback on A
for an interesting anti-pattern. queries, to deal with broken servers. Thanks to Robert Edmonds for
an interesting anti-pattern.
8. References 10. References
8.1. Normative References 10.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, July Considerations for Internet Protocols", RFC 6973, July
2013. 2013.
[I-D.ietf-dprive-problem-statement] [I-D.ietf-dprive-problem-statement]
Bortzmeyer, S., "DNS privacy considerations", draft-ietf- Bortzmeyer, S., "DNS privacy considerations", draft-ietf-
dprive-problem-statement-01 (work in progress), January dprive-problem-statement-05 (work in progress), May 2015.
2015.
8.2. Informative References 10.2. Informative References
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, July 1997. Specification", RFC 2181, July 1997.
[RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running [RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", RFC 6982, July Code: The Implementation Status Section", RFC 6982, July
2013. 2013.
[I-D.wkumari-dnsop-hammer] [I-D.wkumari-dnsop-hammer]
Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly Kumari, W., Arends, R., Woolf, S., and D. Migault, "Highly
skipping to change at page 8, line 28 skipping to change at page 8, line 46
[mockapetris-history] [mockapetris-history]
Mockapetris, P., "Private discussion", January 2015. Mockapetris, P., "Private discussion", January 2015.
[kaliski-minimum] [kaliski-minimum]
Kaliski, B., "Minimum Disclosure: What Information Does a Kaliski, B., "Minimum Disclosure: What Information Does a
Name Server Need to Do Its Job?", March 2015, Name Server Need to Do Its Job?", March 2015,
<http://blogs.verisigninc.com/blog/entry/ <http://blogs.verisigninc.com/blog/entry/
minimum_disclosure_what_information_does>. minimum_disclosure_what_information_does>.
8.3. URIs [huque-qnamemin]
Huque, S., "Query name minimization and authoritative
server behavior", May 2015, <https://indico.dns-
oarc.net/event/21/contribution/9>.
[1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=648 [huque-qnamestorify]
Huque, S., "Qname Minimization @ DNS-OARC", May 2015,
<https://storify.com/shuque/qname-minimization-dns-oarc>.
[2] https://github.com/bortzmeyer/my-IETF-work/blob/master/draft- 10.3. URIs
ietf-dnsop-qname-minimisation/zonecut.go
[3] https://lists.dns-oarc.net/pipermail/dns- [1] https://ripe70.ripe.net/presentations/121-knot-resolver-
ripe70.pdf
[2] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=648
[3] https://github.com/PowerDNS/pdns/issues/2311
[4] https://github.com/bortzmeyer/my-IETF-work/blob/master/draft-
ietf-dnsop-QNAME-minimisation/zonecut.go
[5] https://lists.dns-oarc.net/pipermail/dns-
operations/2010-February/005003.html operations/2010-February/005003.html
Appendix A. An algorithm to find the zone cut Appendix A. An algorithm to find the zone cut
Although a validating resolver already has the logic to find the zone Although a validating resolver already has the logic to find the zone
cut, other resolvers may be interested by this algorithm to follow in cut, other resolvers may be interested by this algorithm to follow in
order to locate this cut: order to locate this cut:
(0) If the query can be answered from the cache, do so, otherwise (0) If the query can be answered from the cache, do so, otherwise
iterate as follows: iterate as follows:
skipping to change at page 9, line 28 skipping to change at page 10, line 14
(6b) An authoritative answer. Cache the NS RRset from the (6b) An authoritative answer. Cache the NS RRset from the
answer section and go back to step 1. answer section and go back to step 1.
(6c) An NXDOMAIN answer. Return an NXDOMAIN answer in response (6c) An NXDOMAIN answer. Return an NXDOMAIN answer in response
to the original query and stop. to the original query and stop.
(6d) A NOERROR/NODATA answer. Cache this negative answer and (6d) A NOERROR/NODATA answer. Cache this negative answer and
go back to step 3. go back to step 3.
Author's Address Appendix B. Alternatives
Remember that QNAME minimisation is unilateral so a resolver is not
forced to implement it exactly as described here.
There are several ways to perform QNAME minimisation. The one in
Section 2 is the suggested one. It can be called the aggressive
algorithm, since the resolver only sends NS queries as long as it
does not know the zone cuts. This is the safest, from a privacy
point of view. Another possible algorithm, not fully studied at this
time, could be to "piggyback" on the traditional resolution code. At
startup, it sends traditional full QNAMEs and learns the zone cuts
from the referrals received, then switches to NS queries asking only
for the minimum domain name. This leaks more data but could require
fewer changes in the existing resolver codebase.
In the above specification, the original QTYPE is replaced by NS (or
may be A, if too many servers react incorrectly to NS requests),
which is the best approach to preserve privacy. But this erases
information about the relative use of the various QTYPEs, which may
be interesting for researchers (for instance if they try to follow
IPv6 deployment by counting the percentage of AAAA vs. A queries). A
variant of QNAME minimisation would be to keep the original QTYPE.
Another useful optimisation may be, in the spirit of the HAMMER idea
[I-D.wkumari-dnsop-hammer] to probe in advance for the introduction
of zone cuts where none previously existed (i.e. confirm their
continued absence, or discover them.)
Author's Address
Stephane Bortzmeyer Stephane Bortzmeyer
AFNIC AFNIC
1, rue Stephenson 1, rue Stephenson
Montigny-le-Bretonneux 78180 Montigny-le-Bretonneux 78180
France France
Phone: +33 1 39 30 83 46 Phone: +33 1 39 30 83 46
Email: bortzmeyer+ietf@nic.fr Email: bortzmeyer+ietf@nic.fr
URI: http://www.afnic.fr/ URI: http://www.afnic.fr/
 End of changes. 43 change blocks. 
142 lines changed or deleted 209 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/